What is standard practice for a situation like if the users lost access to the email account they signed up with?
A large forum I post on was hacked recently and - after voluntarily shutting their site down for a month - they required password resets. If users did not have access to the email address they signed up with and couldn't otherwise verify their identity, they were not allowed to get their account back.
Unsurprisingly, post counts are down site-wide and the owners have reported a > 25% decrease in traffic.
You can ask for previous passwords, if there are any payments involved you can ask for the transaction ids, obviously if you have secret questions or verified mobile you can ask for that.
Of course all of those things can be used to gain access to the account by attacker, without actually knowing the password. See recent Cloudflare incident. Google will notify you about the recovery attempt, monitor for activity, and delay it for at least a week or so. So the attacker just have to wait till you go on offline vacation ;)
Really though, for something as low key as a forum you’re entirely justified to offer recovery only via email. The email providers already offer all those alternative recovery options. And of course you should prefer OpenID to avoid the issue altogether.
> Unsurprisingly, post counts are down site-wide and the owners have reported a > 25% decrease in traffic.
That’s because they took the site down for a month!
The problem isn't really your LinkedIn password ... I mean, someone could mess up your profile, send embarrassing messages and so on, but many many people will have used the same password for amazon, apple, paypal and other financial things, or used the same password for an email account which can be used to "recover" the password for one of those things.
I wonder what kind of bonkers executive at LI decided it would not be a good idea to do a sweeping wipe of all passwords on their systems...
(note to LI: this isn't real code; don't use)